W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from
address books and from files with the following extensions: wab,
txt, htm, sht, php, asp, dbx, tbb, adb and pl.

W32/MyDoom-A creates a file called Message in the temp folder and
runs Notepad to display its contents, which are random characters.

W32/MyDoom-A uses randomly chosen email addresses in the "To:" and
"From:" fields as well as a randomly chosen subject line. The emails
distributing this worm have the following characteristics.

Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

The worm can also copy itself into the shared folder of the
KaZaA peer-to-peer application with one of the following filenames
and a PIF, EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or
temp folder and adds the following registry entry to run this
file every time Windows starts up:

Please note that on Windows 95/98/Me, there is a legitimate file
called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or
system folder. This is a backdoor program loaded by the worm that
allows outsiders to connect to TCP port 3127. The DLL adds the
following registry entry so that it is run on startup:

Between the 1st and 12th February 2004, the worm will attempt a
denial-of-service attack on www.sco.com, sending numerous GET
requests to the web server. After the 12th February W32/MyDoom-A
will no longer spread, due to an expiry date set in the code. It
will, however, still run the backdoor component.
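
The host artefacts described above (the dropped files, the KaZaA file names and the backdoor port) can be combined into a triage check. This is an added example, not part of the original description; the function name triage, the recognition of the system and temp folders by folder name, and the sample paths and ports are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above.
KAZAA_NAMES = {"activation_crack", "icq2004-final", "nuke2004", "office_crack",
               "rootkitxp", "strip-girl-2.0bdcom_patches", "winamp5"}
KAZAA_EXTS = {".pif", ".exe", ".scr", ".bat"}
BACKDOOR_PORT = 3127
# Assumption: the system and temp folders are recognised by folder name.
SYS_OR_TEMP = {"system", "system32", "temp"}
DROPPED = {"taskmon.exe": SYS_OR_TEMP,
           "shimgapi.dll": SYS_OR_TEMP,
           "message": {"temp"}}


def triage(paths, listening_tcp_ports):
    """Return (indicator, detail) pairs for W32/MyDoom-A artefacts."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name, parent = p.name.lower(), p.parent.name.lower()
        # taskmon.exe directly in the Windows folder is the legitimate
        # Windows 95/98/Me file, so only system/temp copies are flagged.
        if name in DROPPED and parent in DROPPED[name]:
            findings.append(("dropped-file", raw))
        # The description does not give the KaZaA shared folder path,
        # so the file names are matched in any folder.
        elif p.stem.lower() in KAZAA_NAMES and p.suffix.lower() in KAZAA_EXTS:
            findings.append(("kazaa-copy", raw))
    if BACKDOOR_PORT in listening_tcp_ports:
        findings.append(("backdoor-port", f"TCP {BACKDOOR_PORT} listening"))
    return findings


# Constructed sample input (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\taskmon.exe",
    r"C:\WINDOWS\system32\taskmon.exe",
    r"C:\WINDOWS\system32\shimgapi.dll",
    r"C:\Program Files\KaZaA\My Shared Folder\winamp5.pif",
    r"C:\Documents and Settings\user\Local Settings\Temp\Message",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_PORTS = [135, 445, 3127]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_PATHS, SAMPLE_PORTS):
        print(indicator, detail)
```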